fix(deps): update module github.com/go-chi/chi/v5 to v5.3.0 by renovate[bot] · Pull Request #474 · purpleclay/go-overlay

renovate · 2026-05-22T18:11:14Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/go-chi/chi/v5	`v5.2.5` → `v5.3.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

go-chi/chi (github.com/go-chi/chi/v5)

`v5.3.0`

Compare Source

What's Changed

Use strings.ReplaceAll where applicable by @JRaspass in #1046
Propagate inline middlewares across mounted subrouters by @LukasJenicek in #1049
add go 1.26 to ci by @pkieltyka in #1052
Remove last uses of io/ioutil by @JRaspass in #1054
Simplify chi.walk with slices.Concat by @JRaspass in #1053
Apply the stringscutprefix modernizer by @JRaspass in #1051
Bump minimum Go to 1.23, always use request.Pattern by @JRaspass in #1048
middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by @alliasgher in #1085
Fix typo in Route doc comment by @gouwazi in #1073
fix: set Request.Pattern from RoutePattern() by @leno23 in #1097
feat: middleware.ClientIP, a replacement for middleware.RealIP by @VojtechVitek in #967

New Contributors

@LukasJenicek made their first contribution in #1049
@alliasgher made their first contribution in #1085
@gouwazi made their first contribution in #1073
@leno23 made their first contribution in #1097

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

PR #967 introduced middleware.ClientIP, a replacement for middleware.RealIP that closes the three open spoofing advisories:

GHSA-9g5q-2w5x-hmxf — IP spoofing via XFF in RemoteAddr resolution (convto)
GHSA-rjr7-jggh-pgcp — RealIP allows IP spoofing via unvalidated XFF (rezmoss)
GHSA-3fxj-6jh8-hvhx — IP spoofing in middleware.RealIP (Saku0512, Critical / 9.3)

It also addresses issues outlined at:

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your
infrastructure, read the result with one of the two accessors:

// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
func ClientIPFromRemoteAddr(h http.Handler) http.Handler

// Read the result.
func GetClientIP(ctx context.Context) string         // for logs, rate-limit keys
func GetClientIPAddr(ctx context.Context) netip.Addr // for typed work

Example usage:

// Pick a single ClientIP middleware based on your deployment
  
// Cloudflare.
r.Use(middleware.ClientIPFromHeader("CF-Connecting-IP"))

// Nginx with ngx_http_realip_module.
r.Use(middleware.ClientIPFromHeader("X-Real-IP"))

// Apache with mod_remoteip.
r.Use(middleware.ClientIPFromHeader("X-Client-IP"))

// AWS CloudFront, or any proxy fleet with known CIDRs.
r.Use(middleware.ClientIPFromXFF(
    "13.32.0.0/15",   // CloudFront IPv4
    "52.46.0.0/18",   // CloudFront IPv4
    "2600:9000::/28", // CloudFront IPv6
))

// Behind exactly 2 trusted proxies with dynamic IPs (autoscaling pools,
// ephemeral containers, dynamic CDN edges).
r.Use(middleware.ClientIPFromXFFTrustedProxies(2))

// Server directly on the public internet, no proxy in front.
r.Use(middleware.ClientIPFromRemoteAddr)

And in your handler or downstream middleware:

clientIP := middleware.GetClientIP(r.Context())
// log it, use it as a rate-limit key, etc.

Thanks to @adam-p, @c2h5oh, @rezmoss, @Saku0512, @convto, @Dirbaio, @jawnsy, @lrstanley, @mfridman, @n33pm, @pkieltyka for the prior discussions, detailed reviews, advisory reports, and test contributions that shaped this PR.

Full Changelog: go-chi/chi@v5.2.5...v5.3.0

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Signed-off-by: purpleclay <purpleclaygh@gmail.com> Co-authored-by: Purple Clay <purpleclaygh@gmail.com>

Signed-off-by: purpleclay <purpleclaygh@gmail.com>

Closes #505 vendor.yml always regenerated govendor.toml at the repo root regardless of which go.mod/go.sum actually changed, so Renovate bumps to `templates/{default,workspace,image}` left those directories' manifests drifted and silently broke CI (#474). Add a detect job that diffs the PR's base/head SHAs for changed go.mod/go.sum files and passes every affected directory to govendor-update.yml, which now loops over each one and folds all regenerated manifests into a single amended commit. Signed-off-by: purpleclay <purpleclaygh@gmail.com>

…513) Closes #505 vendor.yml always regenerated govendor.toml at the repo root regardless of which go.mod/go.sum actually changed, so Renovate bumps to `templates/{default,workspace,image}` left those directories' manifests drifted and silently broke CI (#474). Add a detect job that diffs the PR's base/head SHAs for changed go.mod/go.sum files and passes every affected directory to govendor-update.yml, which now loops over each one and folds all regenerated manifests into a single amended commit. Signed-off-by: purpleclay <purpleclaygh@gmail.com>

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Purple Clay <purpleclaygh@gmail.com>

renovate Bot requested a review from purpleclay as a code owner May 22, 2026 18:11

renovate Bot added minor renovate labels May 22, 2026

renovate Bot assigned purpleclay May 22, 2026

pull-request-size Bot added the size/XS label May 22, 2026

renovate Bot force-pushed the renovate/github.com-go-chi-chi-v5-5.x branch 2 times, most recently from 5e893ba to a2afeab Compare June 2, 2026 21:26

renovate Bot changed the title ~~fix(deps): update module github.com/go-chi/chi/v5 to v5.3.0~~ fix(deps): update module github.com/go-chi/chi/v5 to v5.3.0 - autoclosed Jun 4, 2026

renovate Bot closed this Jun 4, 2026

renovate Bot deleted the renovate/github.com-go-chi-chi-v5-5.x branch June 4, 2026 13:55

renovate Bot changed the title ~~fix(deps): update module github.com/go-chi/chi/v5 to v5.3.0 - autoclosed~~ fix(deps): update module github.com/go-chi/chi/v5 to v5.3.0 Jun 4, 2026

renovate Bot reopened this Jun 4, 2026

renovate Bot force-pushed the renovate/github.com-go-chi-chi-v5-5.x branch 8 times, most recently from c6b9f2f to f0ef9a4 Compare June 11, 2026 07:16

renovate Bot force-pushed the renovate/github.com-go-chi-chi-v5-5.x branch 8 times, most recently from 476596a to 61330bc Compare June 18, 2026 04:51

renovate Bot force-pushed the renovate/github.com-go-chi-chi-v5-5.x branch 2 times, most recently from df12c80 to f016c02 Compare June 20, 2026 08:37

This was referenced Jun 20, 2026

Renovate dependency updates on templates fail during CI due to govendor.toml not updating #505

Closed

test: validate #505 govendor-update fix (disposable, do not merge) #512

Closed

purpleclay added a commit that referenced this pull request Jun 21, 2026

test: reproduce #474 chi v5.3.0 bump to validate govendor-update fix

5fd508d

Signed-off-by: purpleclay <purpleclaygh@gmail.com> Co-authored-by: Purple Clay <purpleclaygh@gmail.com>

purpleclay added a commit that referenced this pull request Jun 21, 2026

test: reproduce #474 chi v5.3.0 bump to validate govendor-update fix

8dbbbd3

Signed-off-by: purpleclay <purpleclaygh@gmail.com>

renovate Bot force-pushed the renovate/github.com-go-chi-chi-v5-5.x branch from f016c02 to c8a50ae Compare June 21, 2026 13:46

fix(deps): update module github.com/go-chi/chi/v5 to v5.3.0

53c7bc4

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Purple Clay <purpleclaygh@gmail.com>

purpleclay force-pushed the renovate/github.com-go-chi-chi-v5-5.x branch from c8a50ae to 53c7bc4 Compare June 21, 2026 13:47

purpleclay merged commit cf269f4 into main Jun 21, 2026
9 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(deps): update module github.com/go-chi/chi/v5 to v5.3.0#474

fix(deps): update module github.com/go-chi/chi/v5 to v5.3.0#474
purpleclay merged 1 commit into
mainfrom
renovate/github.com-go-chi-chi-v5-5.x

renovate Bot commented May 22, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

renovate Bot commented May 22, 2026

Release Notes

v5.3.0

What's Changed

New Contributors

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

Why a new middleware (not "fix RealIP in place")

The new API

Example usage:

Configuration

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

`v5.3.0`